High severity8.2GHSA Advisory· Published May 8, 2026· Updated May 12, 2026
CVE-2026-42353
CVE-2026-42353
Description
i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Prior to version 3.9.3, i18next-http-middleware passes the user-controlled lng and ns values from getResourcesHandler directly into i18next.services.backendConnector.load(languages, namespaces, …) without any sanitization. Depending on which backend is configured, the unvalidated path segments enable either path traversal or SSRF. This issue has been patched in version 3.9.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
i18next-http-middlewarenpm | < 3.9.3 | 3.9.3 |
Affected products
2- Range: < 3.9.3
Patches
Vulnerability mechanics
References
4News mentions
0No linked articles in our index yet.